Comments for Friday Squid Blogging: Bobtail Squid Photo (www.schneier.com, 2015-03-28T02:59:27Z)
A blog covering security and security technology.

Comment from name.withheld.for.obvious.reasons on 2013-09-05
Timely but off topic:

Senate Foreign Relations Committee

Authorization for the Use of Military Force committee deliberation was made a joke by the senators occupying that committee--except for Rand Paul. During the hearing the import and gravity of the decision to go to War was expressed, some senators suggested that this isn't War...but what is the use of the military? A picnic that includes guns and ammo?

There is a major constitutional issue in this decision and action, actually there are several. First, the use of chemical weapons is not a mechanism by which congress or the president can act or use the military--period. Rand Paul brought up the issue addressing both points. One, the authority to declare War (I argue the authorization for the Use of Force is not equivalent) rests with congress. Two, that there is no authority derived from "the use of chemical weapons" that allows congress or the president to fire a single shot out of a revolver.

There is more--the legislative authorization includes laying the groundwork for "regime change". What bull crap. We have a senate that believes that foundational law has limited relevancy. We are screwed. What happens when congress reviews the NSA debacle? I have absolutely no confidence in our government--when it can ignore the tenets, basis, and language of the very law that enables their office--then they are hypocrites and scoundrels. We need to elect persons that understand the what, WHY, where, when, and how of our laws. People express the steadfast support for the rule of law--no we have the rule of [wo]men!

Slashdot reports Mailpile's crowdsourced funding was frozen by PayPal. They've previously blocked funds for both Wikileaks and the Bradley Manning fund. I'd like to place a wager that they've become one of Washington's tools to harass projects that undermine Washington's power.

So, there's another threat that people in the Wired article must consider. Their funding could get frozen for mysterious reasons just before their secure solution gets off the ground.

"Secondly, and perhaps not unsurprisingly it appears there is a race on to develop a more secure EMail system that is presumably both NSL and NSA proof,"

All the solutions were cute. I say this because, despite good ideas, they don't solve the problem of NSA being able to legally compel you to do their bidding or shutting you down entirely. Even the Chrome extension idea can be subverted from that angle albeit with more steps than usual.

I'll also add that wrapping email as secure messages with modern third party distribution and delivery is easier than securing existing mail protocols and infrastructure. People should focus on that b/c it would be simpler. It also allows things like preview, content scanning, etc to work in corporate settings. One must merely tweak the proxies that move and scramble the emails.

This is actually a very real concern and is one of those "hidden / neglected" security areas much like PABXs and SCADA systems once were, and allows any attacker to hoover up truckloads of data as it passes through the router/switch...

Secondly, and perhaps not unsurprisingly it appears there is a race on to develop a more secure EMail system that is presumably both NSL and NSA proof,

This may turn into a "Holy Grail" chase for while encrypting the Email contents and making such functionality usable to your granny are solvable problems other issues are not so easy to see workable solutions to. In particular is the issue of routing and its metadata. The current Email model is "push to send", "pull to receive" which requires as a minimum a third party storage point. This storage point is a vulnerability and not under the control of both parties and often neither of them, thus it's a point of vulnerability. Other communications systems whilst "P2P" for content have the issue of "finding the end point" which again usually involves a directory server or hierarchy which again is not under the control of both parties and frequently neither and it's vulnerable to many attacks as the DNS system has shown over the years and still does.

Even when these mid-point servers are not used for communication just knowing who has made a lookup and when is sufficient with statistical algorithms to do reasonable traffic analysis.

I've looked into how to resolve these mid-point issues in the past when looking at how to control a bot-net without having a vulnerable fixed "head server" for command and control. There are solutions but they have practical issues when dealing with millions of users. One solution that comes to mind is mix-networks with broadly distributed directory services and the use of PK messaging. But the weakness is still the initial "lookup" of contact meta-data.

Thirdly Bruce has an op-ed on how far ahead the closed community of the NSA et al might be compared to the open community. He covers much of the stuff covered by this blog but lightly and does not mention other areas,

Basically some as yet unknown bug is suspected of making a structure that looks a lot like an antenna mast with a high security fence around it in miniature,

The "who, what and why" of it is currently unknown...

Comment from Figureitout on 2013-09-04
Bruce
--I don't know if you've had such a sustained output of Op-Eds for a while, but the last 3 were good. The IEEE was hilarious (what are you doing jacking cards?--Ha), I've had some silly situations w/ RFID cards and gaining access to places doing a nice sidestep of the security just to see how much it isn't protecting me (never anything else nor putting them at more risk than they are already); and I will never forget a very large company's "security" waving in someone using a card w/ a black man (he was white) and someone else just using a random card; just to get legitimate physical access to premises. And from there you can observe. It happened b/c the place was massive and they skimped on competent/vigilant guards.

I also don't know how many backdoors/side channels you have witnessed and tried to figure out; surely a lot of debugging, but you are correct in that these are the main security threat of the 21st century that should be the focus of security engineers. Side effects, unintended consequences, and side channels; the recipe for a paranoia heart attack. Too many modules, too many shipping places for a final single product, automated Wifi/Bluetooth that should be separate modules to add if you want. Circuits too small us mere mortals and individuals w/o $$ can't afford the equipment to properly test these circuits; have to rely on "simulations of reality", pfft. Implement the math (crypto) on a secure platform and I can finally get a nice night of sleep. I trust the math too, I think....

Nokia doesn't really have anything to offer MS at this point, and MS certainly doesn't have anything to offer Nokia

Not entirely. M/S can still try to capitalise on the still huge Nokia user base as it totally missed out on the smart phone market, and for Nokia it's a way of averting the chronicle of a death foretold.

It would have made sense in 2002. Today, it looks a bit like putting two turkeys together hoping an eagle will come of it.

Realistically, MS should have bought Blackberry. Blackberry has always been the businessman's phone. Out in the suburbs & such you'll see iPhones. Come to Manhattan and you'll see iPhones (think advertising, fashion, media) and Blackberries (Finance, legal, business). Even now, people are still using their 5+ year old Blackberries.

An MS-Blackberry partnership would have been good. 99% chance Blackberry users were using MS Office and often MS Exchange to begin with. MS could do a proper integration and have made it something wonderful.

Then again, MS could use its crack-pot focus groups and turn out another turd like Windows 8 or Windows Phone.

Comment from Kevin on 2013-09-03
Quick question: is anyone else having trouble accessing this blog through Tor? I have been trying for about three weeks and it always says the connection has timed out.

Comment from Clive Robinson on 2013-09-03
OFF Topic :

As you have probably heard Microsoft is to buy Nokia.

Both companies have been losing market share etc for some time. Many (slightly incorrectly) view Nokia's woes as being due to the use of Microsoft's OS for mobile/smart phone devices, others attribute it to taking on an ex-MS staffer in a senior role.

Whatever the actual causes Steve "balmy" Ballmer is crowing about the acquisition to MS Full Time Staff (not the PTs or orange badge workers/contractors).

However, some of these solutions do some strange things, like individually encrypt every word in a document or SaaS application, rather than do the entire block of plaintext at once. In addition, they claim to be able to sort and search within these encrypted strings without first decrypting them...

If what you are saying is true they are using a "code book" mode on the words or strings. It's also known as "a weak substitution" system.

Look at it this way: in non-specialised English about two thousand words are used ordinarily with another two to five thousand specialised words. This gives around 2^13 substitutions, so even using AES with an output block size of 128 bits you are only using 1/2^115 of the available output.

Such "code book breaking" is crackable to an easily readable state with around ~90 words of a document of known or reasonably guessable context.

The weakness of such "code book" systems has been known for a couple of centuries which is why they usually get used not to "encrypt" but "compress" a document, the actual encryption and the security of the system being done with "Super Encryption" which if done with a One Time Pad properly would be theoretically unbreakable.

But if "super encryption" was used in the system you describe then "decryption" of some sort would have to be performed.
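
The code-book behaviour described in the comment above, as an added example that is not part of the original thread: it measures what a storage provider sees when every word is tokenized deterministically, and why "search without decrypting" depends on exactly that leak. HMAC-SHA256 truncated to 128 bits stands in for whatever deterministic per-word cipher such a product uses (an assumption, the thread names none), and the key and sample sentence are constructed.

```python
import hashlib
import hmac
import math
import os
from collections import Counter

KEY = bytes(range(32))  # constructed demo key, not a real secret
# Constructed sample document (18 words, 8 distinct).
SAMPLE = ("the auditor sent the report to the board and "
          "the board sent the report back to the auditor")


def det_token(word, key=KEY):
    """Deterministic per-word token: same word and key always give the same 128 bits.
    HMAC-SHA256 is a stand-in here for any deterministic word cipher."""
    return hmac.new(key, word.lower().encode(), hashlib.sha256).digest()[:16].hex()


def rand_token(word, key=KEY):
    """Randomized stand-in: a fresh nonce per word, so equal words never repeat.
    Models only the repeat behaviour of randomized encryption."""
    nonce = os.urandom(16)
    mac = hmac.new(key, nonce + word.lower().encode(), hashlib.sha256).digest()[:16]
    return (nonce + mac).hex()


def tokenize(text, token_fn):
    """Tokenize a whitespace-separated document word by word."""
    return [token_fn(w) for w in text.split()]


def equality_pattern(items):
    """Replace each item by the index of its first occurrence.
    An observer without the key can compute this from the tokens alone."""
    first = {}
    return [first.setdefault(x, i) for i, x in enumerate(items)]


def search(tokens, word, key=KEY):
    """'Search without decrypting': the key holder tokenizes the query and the
    store compares tokens. It works only because tokens are deterministic."""
    needle = det_token(word, key)
    return [i for i, t in enumerate(tokens) if t == needle]


def unused_output_bits(vocabulary_size, block_bits=128):
    """Bits of the cipher's output space that a code book of this size never uses."""
    return block_bits - math.log2(vocabulary_size)


def leakage_report(tokens):
    """Repeat statistics visible to anyone holding the stored tokens."""
    counts = Counter(tokens)
    return {
        "total": len(tokens),
        "distinct": len(counts),
        "top_count": counts.most_common(1)[0][1],
    }


if __name__ == "__main__":
    det = tokenize(SAMPLE, det_token)
    rnd = tokenize(SAMPLE, rand_token)
    print("deterministic:", leakage_report(det))
    print("randomized:   ", leakage_report(rnd))
    print("pattern preserved:", equality_pattern(det) == equality_pattern(SAMPLE.split()))
    print("positions of 'report':", search(det, "report"))
    print("unused bits for a 2^13-word vocabulary:", unused_output_bits(2 ** 13))
```

The deterministic tokens keep the full repeat structure and word frequencies of the plaintext, which is the input a code-book analysis needs; the randomized tokens keep none of it, and the token-comparison search stops working for the same reason.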

Comment from adrenalion on 2013-09-03 (http://crypto.stackexchange.com/)
The revelation of the NSA surveillance has caused legitimate (albeit belated) concern about the security of all the data that organizations have been moving to the cloud. As a result, a number of companies have popped up and are touting their encryption services as a way to protect data.

However, some of these solutions do some strange things, like individually encrypt every word in a document or SaaS application, rather than do the entire block of plaintext at once. In addition, they claim to be able to sort and search within these encrypted strings without first decrypting them! And they claim to do all this using NIST-approved crypto.

To me, this sounds too good to be true, so: What are the implications of encrypting short text strings, in a way that allows some manner of search and sort capability? Is there a way to quantify how much more crackable the data is? Or is there a way to determine the likelihood of collisions?

In the EU some politicos are getting tough and talking of trade sanctions against the US over the illegal activities of the NSA on European soil

I watched the Merkel-Steinbrück debate yesterday and the NSA topic was indeed brought up. Although challenger Steinbrück has been trying to capitalise on the matter for a while and Merkel is definitely on the defensive, the Bundeskanzlerin according to the latest polls still has a very comfortable lead. In addition, Steinbrück has very little credibility on the issue as his SPD party in previous coalitions was part of the government (thus fully aware of what was going on) and less than enthusiastic about a proposal by the left and green parties for a full parliamentary investigation into NSA surveillance practices. I don't expect anything to come out of it soon.

In South America on the other hand, Greenwald has been doing an excellent job in stirring up several governments against the US. After the Morales incident and revelations about massive communications hoovering in Brazil, the Brazilian and Mexican governments have just demanded a formal explanation from the US over new claims that the NSA spied on their presidents.

One question: AFAIK France has some seriously restrictive laws and regulations about the use of cryptography. Have you got this angle covered for Gith?

The French laws around cryptography are not really restrictive anymore as long as your product is not considered as a "military product".
I just met the ANSSI today, and concerning Gith I simply need to make a simple declaration to be able to "export" it outside France. That's all!

Concerning the "meta-data", I'm supposed to keep the IP addresses and user names for a period of one year. This doesn't apply to the contents hopefully.
I don't seem to be exposed to the same sad problems as Silent Circle and Lavabit had encountered last week.

Comment from Figureitout on 2013-09-02
Chirp Chirp you say? BS, who do you work for?!

Comment from Aspie on 2013-09-02
Or is the NSA already checking him out?

Probably from the moment he dialled the last digit to their help-line. As a side-note, I heard that NSA types are known to use their access to check the fidelity of their nearest and dearest. They call it LOVEINT, apparently.

Nothing like insecurity and paranoia to grease the wheels of "progress".

Comment from an on 2013-09-02
Regarding the
Private-Public partnership:

155 Comments:
As far as I am concerned, private snooping is a hundred times more troubling .... ....

Comment from Tom on 2013-09-02
I'm wondering a couple of things:
What if he would have given his contact information?
And what if he would have given the contact information of someone else?
Or is the NSA already checking him out?

It's maybe a good suggestion for the NSA to offer such a service so they can make GOOD use of (at least a part of) the tons of data they collect.

Caller: "so ... you don't keep track of email and internet data?"
NSA: "... not [in] the way you're saying."

Splendid!

Comment from Tom on 2013-09-02 (http://www.youtube.com/watch?v=-qrlDGhoI1Q)
Hilarious call from a Dutch journalist to the NSA: http://www.youtube.com/watch?v=-qrlDGhoI1Q

I somehow missed @Nick P's review of Gith a while ago, but if I can spare some time I'm definitely going to give it a good test drive in the days to come. It's heartwarming to come across a growing number of non-USUK (pun intended) companies taking up security/privacy related software, and I seriously hope/believe the market for such products is only going to expand dramatically in the time to come.

One question: AFAIK France has some seriously restrictive laws and regulations about the use of cryptography. Have you got this angle covered for Gith?

Comment from Alex on 2013-09-01
I know it's not SQUId, but I'd like to talk about SQUIrrels instead, and the threat they pose to our national security.

Closer to home, earlier this year half a million people were without water service in the city of Tampa, Florida due to a squirrel. It would be 3 days later before everything was restored and the water was declared safe to drink. http://tbo.com/news/politics/-million-to-squirrel-proof-tampa-water-plant-b82492875z1 I also find it difficult to believe that no one ever bothered to reinforce this particular feeder against hurricane winds, but then again, it's the City of Tampa and they do everything half-arsed.

Now I don't know if this is for real or not because Germany has elections in three weeks and it might just be pre-election "tough talk" to gain extra votes. Perhaps German and other continental Europeans would care to express their views?

However there is another issue that is now coming up to bite politicos in the US and UK and other nations. It's the thorny issue of "what rights do individuals have in borders and international waters and airspace"? Both the US and UK pretend that you have none, but it's actually not true as both nations have signed international treaties and signed up to UN and other conventions.

Thus contrary to what the likes of US and UK border officials would have you believe you do have rights that they can arbitrarily or with jurisdictional laws ignore.

And some journalists are now starting to dig into this and make some of your rights visible,

Glad to see you're continuing to improve your software. Congratulations on successfully handling the breach of hosting provider a while back, both damage prevention and notifying your users. That and the clear warnings you give about the beta inspires some trust in your organization. ;) If I find time, I'll check out your software and see what using it is like. No promises, though.

Btw, nice video of MITM attack. I'd kind of feel that the middle person should say something that would worry the other two more. Yet, the video had also seemed more laid back than most. I was torn between which direction to suggest you go on that. I think you can improve its effect if you change the conversation a bit but keep everything else the same.

Random extra. NoScript results in some funny error messages sometimes. Before I allowed scripts the video player said "DailymotionPlayer is not defined at undefined line undefined." Very enlightening. I'm sure tech support people love debugging information like that.

Comment from Benoit on 2013-09-01 (http://www.gith-systems.com)
@Nick P.: A few weeks ago, in a very interesting review of Gith, you were regretting that no Linux version was available.

That's fixed! (https://www.gith-systems.com/download/)

Concerning the fact that an independent review would be a "plus": I'm working on that. I'll meet the "ANSSI" (the French organism for IS security) very soon, which is a first step.
Being evaluated by real private and independent labs is most of the time quite expensive, and I'm not ready for that yet!

And speaking of delays and prevarications involving courts as many know the US Patent system allows "software patents" which most other jurisdictions don't currently. The EU for instance has been humming and hawing on the subject since the last century one way or another. Although lobbied for strongly by large US software firms in general the evidence suggests that far from helping software innovation and thus promoting and developing a software economy it in fact only brings benefit to those exercising what is in effect a stranglehold monopoly. Unsurprisingly this has been seen before in other technical development activities. Thus perhaps unsurprisingly New Zealand has passed legislation preventing it by 117-4 votes.

Part of the problem has been telling a "process" which is patentable in most jurisdictions from a software program or other human activity that is not. The main problem of which is that "process" is one of those weasel words that those of the legal profession love to argue over at others' expense.

As an engineer I've been involved with patents one way or another for some years and what has struck me the most is their arbitrary nature and the capricious nature of many involved with them. All I can really say for them is that in modern times they appear not to be a solution for "the public good", especially where fast innovation is concerned.

Comment from Michael Mol on 2013-09-01 (https://github.com/mikemol/msgpass)
So, I've just published to Github an early-alpha spec for a message passing system I've had brewing in my head for a week or two. URL to relevant repo is presented as the "URL" metadata field in this form. Looking for feedback.

Comment from on 2013-08-31
From New York Magazine: "The NYPD Division of Un-American Activities"

It describes a unit that was set up after the 2001 attacks, but again, repeating an old pattern:

The NYPD had last been involved in such surveillance activities during the sixties, when there was an NYPD “extremist desk” to watch antiwar groups and a “black desk” to investigate African-Americans. Police maintained hundreds of thousands of case files and more than a million index cards containing names of citizens whose activities were deemed suspicious.

There's a lot of detail I hadn't seen before about how the would-be informants went about their business. One unexpected tip: If you want less scrutiny at your cafe or deli, serve terrible food.

What's happened since 2001 looks less and less like an unprecedented expansion and more like the NSA trying to get back to where it was before the Internet went mainstream.

This article also gives the earliest cite I've seen for the "we can't make this innocuous-looking information public because terrorists might find it useful" attitude, tracing it to the Carter(!) administration.

Comment from martino on 2013-08-31
Mess with Canadians and we'll try ramming you with our navy ships (if we can navigate around our own first that is):

Comment from NobodySpecial on 2013-08-31
Even if they did succeed - What could Microsoft, Google and indeed the US govt, do at this point to make people actually believe them?

For example - We don't manufacture certain critical components of our product in China because we know that whatever the law says they will be copied. We don't sell in Russia or most of Africa (except SA) because we know we will never get paid and the legal system won't help us.
Comment from Nick P on 2013-08-31
Very interesting and kind of surreal article below.

Hard to tell ahead of time whether not knowing these things is a huge drawback or a benefit [seeing how online privacy has become]. I'm sure many will enjoy the new functionality. However, I'm sure there will be others whose conviction or betrayals by other crooks will see it as a huge risk.

In other news, Twitter is all a-twitter about its coming IPO. (I lost the link. Sorry.)

Could it be that Macgillivray is gettin' while the gittin' is good, before Twitter goes public and the NSLs start raining down?

Comment from kashmarek on 2013-08-31
Bruce has said fight rather than switch. He should be here until they take him out.

Comment from Herman on 2013-08-31
So, now PJ at Groklaw is also shutting down. I wonder how long this site will last. It was nice knowing you Bruce... ;)

Comment from Clive Robinson on 2013-08-31
OFF Topic :

It would appear that President Obama is still up to dirty tricks and what most of us would regard as lies,

Comment from Spellucci on 2013-08-31
Can the Racketeer Influenced and Corrupt Organizations Act (RICO) laws be used to push back against FISA, NSA, et al.? I would love to see a conspiracy charge leveled against the NSA and the Bluffdale, Utah police seizing the NSA's new data center as evidence the day it opened. Better yet, the NSA could not have it back until after a trial. But then I always long for simple answers to complex problems.

Comment from Aspie on 2013-08-31
Some imminent grandstanding to try to stem the growing tide of mistrust amongst their users.

So, probably more detailed aggregate figures of numbers of requests ... rather than some of their remaining users getting individual conciliatory emails.

Comment from Godel on 2013-08-30
This week's New York Times etc. hack apparently involved a phishing email.

Comment from Curious on 2013-08-30
I realize now that GG's message ends up being both specific and vague, depending on one's interpretation. Like a conditional denial of something, that might be somehow true outside the stated condition.

Comment from Curious on 2013-08-30
Glenn Greenwald's twitter account has this message: *shrugs*
"Anyone claiming that David Miranda was carrying a password that allowed access to documents is lying. UK itself says they can't access them."

Comment from Curious on 2013-08-30
Correct me if I am wrong, but I did not see this story here the last week:

In my country, one of the bigger if not the biggest newspaper had this piece of news seemingly hidden away as a small Reuters-like notice (NTB), which I only found on their website by searching for it the day after I initially learned about this.

Comment from Herman on 2013-08-30
It doesn't matter if Miranda carried a password on a piece of paper. The NSA has all the original plaintext, so they don't need to decrypt it.
Comment from Calvin Li on 2013-08-30
It is reported that David Miranda was carrying a password (related to data leaked by Snowden) on a piece of paper.